What You Need to Know About GDPR: Interpretation and Implementation

Disclaimer: The content in this blog post is created only for informational purposes for a wider general audience. Author does not intend to provide legal or professional advice.

First of all, What Actually is GDPR?

The General Data Protection Regulation (GDPR) [Regulation (EU) 2016/679] is a regulation by which the European Parliament, the Council of the European Union, and the European Commission intend to strengthen and unify data protection for all individuals within the EU. The GDPR was adopted on April 27, 2016, and after a two-year transition period, it will become enforceable starting May 25, 2018. Unlike a ‘Directive’, it does not require national governments to pass any enabling legislation, and is thus directly binding and applicable.

It replaces the Data Protection Directive, which was adopted in 1995 to regulate the processing of personal data within the European Union. The GDPR extends the scope of the EU data protection law to all foreign companies processing the data of EU residents.

How Helpshift is Aiding Customers with their GDPR Compliance Efforts

In preparation for the May 2018 deadline, Helpshift has been working with its customer base to ensure that all impacted businesses are able to meet the GDPR requirements. Here is what affected brands should be aware of:

• Tools and Processes: We are building tools and processes that will help our customers to adhere to the data-subject rights such as the Right to be Forgotten and Data Access/Portability.
• Data Processing Amendments: We are creating a ‘Data Processing Addendum’ for our customers and vendors. These are nothing more than an extension of our agreement terms that include additional provisions required for GDPR compliance.
• Policies: We are modifying our privacy policies, complaint handling policies and agreement terms to include additional provisions.
• Standard Contractual Clauses (SCC’s): Since the Schrems II decision announcement in July 2020, Helpshift has updated its processes with regards to treatment of Trans-atlantic data transfers. Data transfers from the EU to the US are covered by the incorporation of Standard Contractual Clauses (SCC’s) within the Data processing agreement with the Customer. These clauses are promulgated by the European commission and are currently the mechanism in place at Helpshift to treat cases of EU-US data transfers. However we also do engage with some customers who request review of our data security policy and standards, as the SCCs are only an interim mechanism and may be subject to amendment.

Key Learnings for Businesses who are Working Towards GDPR Compliance

• What is Classified as “Personal Data” under GDPR: GDPR extends the scope of what is considered “personal data”— and there is no exhaustive list of attributes that can be mapped to all that is collected. This includes any information relating to an identified or identifiable natural person (‘data subject’). An identifiable natural person is one who can be identified, directly or indirectly, by name, identification number, location data, or an online identifier based one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
• Differentiating between Data Controller/Processor/Sub-processor: ‘Controller’ refers to the purpose and means of the processing of personal data. ‘Processor’ processes personal data on behalf of controller. ‘Sub-processor’ processes personal data on behalf of another ‘data processor’. This is a bit convoluted, but chances are that many companies are using multiple roles at the same time for different types of personal data. It’s important to differentiate between these, as the requirements vary among them.
• Implementing Data Discovery: Finding out which data is being collected, why it is being collected and also how it is being stored and processed it is not as simple as it seems. These are the questions that need to be addressed:

1. Out of all data collected, what can be attributed as personal data?
2. Where is it stored in the entire business eco-system, both on-premise as well as in private and public clouds?
3. Is some of the personal data being handled by any external business partners, service providers and vendors?
4. What personal data is playing the respective roles of controller, processor, and sub-processor?

• Understanding Data Subject Rights: The GDPR provides the following rights for EU individuals (data subjects). Data Controllers are obliged to respect these rights under the EU data protection law. Some of these rights apply to data processors depending on the level or extent of data processing as well.

1. The right to be informed
2. The right of access
3. The right to rectification
4. The right to erasure
5. The right to restrict processing
6. The right to data portability
7. The right to object
8. Rights in relation to automated decision making and profiling

• Data Security Awareness: While implementing the suggested tools helps ensure that these rights are not violated, the basis for the principle of privacy data security may get overlooked. Though GDPR does not specify the actual technical or organizational controls that are necessary for data security, one can refer to ISO 27001 or SOC2 as a framework for best practices around information and data security.
• Staying informed of Complexity, Scope and Penalties: It is also massively important to note the following regarding the breadth and depth of this regulation, and the effects of noncompliance.

1. GDPR requirements are complex and time-consuming to implement since they impact many teams and departments including product engineering, IT, operations, legal, sales, and marketing.
2. These requirements are widely applicable internationally, due to the wide and vague definition of ‘Personal Data’ and the fact that there are no limitations like country and state.
3. There are massive penalties for non-compliance.

Final Words

GDPR is one of the most widely-reaching privacy and data protection laws ever created, and with today’s complex IT environments, it is even more challenging to ensure that the entire business eco-system is compliant.

Helpshift has sought assistance from legal experts who specialize in Privacy Protection throughout the implementation process. This is important to consider as both legal and technical interpretations of the regulations must be in sync. Helpshift has heavily invested significant resources towards interpreting and implementing GDPR regulations for full compliance, and is committed to help customers, partners, and vendors in their respective efforts.